This is a discussion on "Question on viewing code" within the alt.comp.lang.php forums, part of the PHP Programming Forums category.
On 23 Feb, 18:38, "Steve" <no....@example.com> wrote:
> "Rik" <luiheidsgoe...@hotmail.com> wrote in message
> news:op.tn7q1znlqnv3q9@misant...
> | shimmyshack <matt.fa...@gmail.com> wrote:
> | > Rik <luiheidsgoe...@hotmail.com> wrote:
> | >> Rik <luiheidsgoe...@hotmail.com> wrote:
> | >> > shimmyshack <matt.fa...@gmail.com> wrote:
> | >> >> This is the only statement in my httpd.conf:
> | >>
> | >> >> AddType application/x-httpd-php .php
> | >>
> | >> >> and yet the attack works.
> | >> >> The server doesn't have to be set up to parse every doc for php, that
> | >> >> was an assumption.
> | >> >> Has anyone here tried it on their server?
> | >>
> | >> > Attack does not work here on the local server....
> | >>
> | >> And the live server is also safe :-)
> | >
> | > out of interest what are you running, is php a module, ta.
> |
> | Homebox:
> | W2K, Apache 2.2.2, PHP 5.1.4 as a module.
> |
> | Live server:
> | FreeBSD 5.3, Apache 2.0.54, PHP 4.4.2 (yes, still, goddamnit) as a module.
>
> lol. it feels that way some times don't it. ;^)

steve with regards your previous offer, the phrase "i'm not worthy"
flashes into my shrivelled brain. Although of course it would be fun,
have you taken a look at the great CAL9000 stuff from RSnake
(http://www.owasp.org/index.php/Categ...9000_Project)? While not
specifically aimed at server side pen testing, it is the vector by
which your code could be introduced.
"shimmyshack" <matt.farey@gmail.com> wrote in message
news:1172257128.974602.324590@z35g2000cwz.googlegroups.com...
| On 23 Feb, 18:38, "Steve" <no....@example.com> wrote:
| > "Rik" <luiheidsgoe...@hotmail.com> wrote in message
| > news:op.tn7q1znlqnv3q9@misant...
| > | shimmyshack <matt.fa...@gmail.com> wrote:
| > | > Rik <luiheidsgoe...@hotmail.com> wrote:
| > | >> Rik <luiheidsgoe...@hotmail.com> wrote:
| > | >> > shimmyshack <matt.fa...@gmail.com> wrote:
| > | >> >> This is the only statement in my httpd.conf:
| > | >>
| > | >> >> AddType application/x-httpd-php .php
| > | >>
| > | >> >> and yet the attack works.
| > | >> >> The server doesn't have to be set up to parse every doc for php, that
| > | >> >> was an assumption.
| > | >> >> Has anyone here tried it on their server?
| > | >>
| > | >> > Attack does not work here on the local server....
| > | >>
| > | >> And the live server is also safe :-)
| > | >
| > | > out of interest what are you running, is php a module, ta.
| > |
| > | Homebox:
| > | W2K, Apache 2.2.2, PHP 5.1.4 as a module.
| > |
| > | Live server:
| > | FreeBSD 5.3, Apache 2.0.54, PHP 4.4.2 (yes, still, goddamnit) as a module.
| >
| > lol. it feels that way some times don't it. ;^)
|
| steve with regards your previous offer, the phrase "i'm not worthy"
| flashes into my shrivelled brain. Although of course it would be fun,
| have you taken a look at the great CAL9000 stuff from RSnake
| (http://www.owasp.org/index.php/Categ...9000_Project)? While not
| specifically aimed at server side pen testing, it is the vector by
| which your code could be introduced.

i'm pretty clueless with hacking methods not too far into the topic. i do
have script that 'inventories' a site. the information it provides is a good
documentation tool when presenting file dependencies or architecture...it is
also scary to believe that i could execute it on someone else's server.

i'll have a look at the link. the real test is knowing how to introduce the
script so that it can be executed. failing the test would mean that i know
more than enough about the site tested to control it at will. i'll have to
shelve it for a while till i can get to putting it all together.

cheers
On 23 Feb, 19:11, "Steve" <no....@example.com> wrote:
> "shimmyshack" <matt.fa...@gmail.com> wrote in message
> news:1172257128.974602.324590@z35g2000cwz.googlegroups.com...
> | On 23 Feb, 18:38, "Steve" <no....@example.com> wrote:
> | > "Rik" <luiheidsgoe...@hotmail.com> wrote in message
> | > news:op.tn7q1znlqnv3q9@misant...
> | > | shimmyshack <matt.fa...@gmail.com> wrote:
> | > | > Rik <luiheidsgoe...@hotmail.com> wrote:
> | > | >> Rik <luiheidsgoe...@hotmail.com> wrote:
> | > | >> > shimmyshack <matt.fa...@gmail.com> wrote:
> | > | >> >> This is the only statement in my httpd.conf:
> | > | >>
> | > | >> >> AddType application/x-httpd-php .php
> | > | >>
> | > | >> >> and yet the attack works.
> | > | >> >> The server doesn't have to be set up to parse every doc for php,
> | > | >> >> that was an assumption.
> | > | >> >> Has anyone here tried it on their server?
> | > | >>
> | > | >> > Attack does not work here on the local server....
> | > | >>
> | > | >> And the live server is also safe :-)
> | > | >
> | > | > out of interest what are you running, is php a module, ta.
> | > |
> | > | Homebox:
> | > | W2K, Apache 2.2.2, PHP 5.1.4 as a module.
> | > |
> | > | Live server:
> | > | FreeBSD 5.3, Apache 2.0.54, PHP 4.4.2 (yes, still, goddamnit) as a
> | > | module.
> | >
> | > lol. it feels that way some times don't it. ;^)
> |
> | steve with regards your previous offer, the phrase "i'm not worthy"
> | flashes into my shrivelled brain. Although of course it would be fun,
> | have you taken a look at the great CAL9000 stuff from RSnake
> | (http://www.owasp.org/index.php/Categ...Project)? While not
> | specifically aimed at server side pen testing, it is the vector by
> | which your code could be introduced.
>
> i'm pretty clueless with hacking methods not too far into the topic. i do
> have script that 'inventories' a site. the information it provides is a good
> documentation tool when presenting file dependencies or architecture...it is
> also scary to believe that i could execute it on someone else's server.
>
> i'll have a look at the link. the real test is knowing how to introduce the
> script so that it can be executed. failing the test would mean that i know
> more than enough about the site tested to control it at will. i'll have to
> shelve it for a while till i can get to putting it all together.
>
> cheers

send me an email when you have time, and I'll do what I can to help in any
way I can, it sounds like a very interesting project, and useful too. Might
be a welcome addon to OWASP who have introduced the PHP top ten and would
support the ongoing effort into a project like this. Not too sure about the
name though!
shimmyshack <matt.farey@gmail.com> wrote:
> Rik <luiheidsgoe...@hotmail.com> wrote:
>>
>> > Attack does not work here on the local server....
>>
>> And the live server is also safe :-)
>> > out of interest what are you running, is php a module, ta.
>>
>> Homebox:
>> W2K, Apache 2.2.2, PHP 5.1.4 as a module.
>>
>> Live server:
>> FreeBSD 5.3, Apache 2.0.54, PHP 4.4.2 (yes, still, goddamnit) as a
>> module.
>
> I've sent you an email to the hotmail address luihei...
> just to help me clear up a few details.

Thanks for the above details. To answer publicly: followed the little
tutorial to the letter (well, system('ls'); should be system('dir'); here),
and no banana: clean output of the php script in the image, and not my dir
contents.

To tell you the truth: I haven't got the foggiest idea _why_ it works, so I
couldn't say which setting it is. I could mail you the main portions of my
apache config, but as it is apparently a Windows vulnerability, any of
numerous windows settings could be the one that does it. Mind you, I do have
a very nlited version of W2K (google nlite, great for stripping down
unwanted bullshit from Windows), so I won't have your typical Windows
installation. Tomorrow I'll put XAMPP on a WXP64 box here, let's see what
that full installation does.
-- 
Rik Wasmus
shimmyshack wrote:
> On 23 Feb, 11:15, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>> Steve wrote:
>>> "Rik" <luiheidsgoe...@hotmail.com> wrote in message
>>> news:op.tn6pvcviqnv3q9@misant...
>>> | Steve <no....@example.com> wrote:
>>> | > find a server that parses all documents via php instead of by extension,
>>> | > ....
>>> | >
>>> | > it's not hard to hack any site...it just takes a bit of knowledge and
>>> | > some desire.
>>> |
>>> | And in this case, both an insane webserver setting and a either no or a
>>> | bogus check on files after upload... Usually it would be much, much
>>> | harder.
>>>
>>> true. however sadly, *most* web servers (apache anyway) out there at least
>>> parse all documents through php even if the extension is different...things
>>
>> Do you have proof of this statement? I find just the opposite - very
>> few servers parse non-html files through PHP - and most of those who do
>> change when told about the security implications.
>>
>>> like .css or .jpg, or what have you. this is the critical part. as long as
>>> this is the configuration, you can find *many* ways to get your script onto
>>> their server. and you will have enough authorization to access any system
>>> directory that php has access to...even those not in the web root.
>>> this is not just a php issue, asp and others have the same problem. people
>>> are not ever as aware as they should be when it comes to security. myself
>>> included.
>>
>> --
>> ==================
>> Remove the "x" from my email address
>> Jerry Stuckle
>> JDS Computer Training Corp.
>> jstuck...@attglobal.net
>> ==================
>
> This is the only statement in my httpd.conf:
>
> AddType application/x-httpd-php .php
>
> and yet the attack works.
> The server doesn't have to be set up to parse every doc for php, that
> was an assumption.
> Has anyone here tried it on their server?
>

The attack doesn't work either on my test system or any of my live
systems, either.

Files containing PHP code which do not have the .php extension are not
parsed. And where uploads are possible, files with a .php extension are
not allowed. So they're safe.

-- 
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
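The two defences Jerry Stuckle describes (only `.php` is handed to the PHP handler, and uploads may never carry a `.php` extension) can be written down as an upload handler. The code below is an added example for this thread, not code posted by any of the participants: it allow-lists the extension, checks that the bytes really are the image type the extension claims, stores the file under a generated name in a directory outside the document root, and serves it back with an explicit Content-Type so the web server never maps the stored file to a handler itself. `UPLOAD_DIR`, `store_uploaded_image` and `send_stored_image` are names chosen for the example, and the path is an assumption.

```php
<?php
// Added example (not from the thread): a defensive upload handler that
// enforces "only .php is parsed" and "no .php in uploads" at the
// application layer, and keeps stored files out of the web root.
declare(strict_types=1);

// Assumed storage directory OUTSIDE the document root: nothing in it can be
// requested as a URL, so the server's handler mapping never applies to it.
const UPLOAD_DIR = '/var/www/uploads-private';

// Allow-list of extensions and the IMAGETYPE_* constant each must match.
const ALLOWED = [
    'jpg'  => IMAGETYPE_JPEG,
    'jpeg' => IMAGETYPE_JPEG,
    'png'  => IMAGETYPE_PNG,
    'gif'  => IMAGETYPE_GIF,
];

/**
 * Validate one $_FILES entry and return the path it was stored at.
 * Throws RuntimeException on any failure.
 */
function store_uploaded_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed: error code ' . $file['error']);
    }
    $tmp = $file['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not an uploaded file');
    }

    // 1. Extension check on the whole client-supplied name. A name with more
    //    than one extension is rejected outright, because some server
    //    configurations act on any extension in the name, not just the last.
    $name  = strtolower((string)($file['name'] ?? ''));
    $parts = explode('.', $name);
    array_shift($parts);                       // drop the base name
    if (count($parts) !== 1 || !isset(ALLOWED[$parts[0]])) {
        throw new RuntimeException('extension not allowed');
    }
    $ext = $parts[0];

    // 2. Content check: the bytes must parse as an image of the claimed type,
    //    both by getimagesize() (header) and by the fileinfo MIME sniff.
    $info = @getimagesize($tmp);
    if ($info === false || $info[2] !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmp) !== image_type_to_mime_type(ALLOWED[$ext])) {
        throw new RuntimeException('MIME sniff does not match extension');
    }

    // 3. Never reuse the client-supplied name: generate one, and take the
    //    extension from the allow-list rather than from the client.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);                        // readable, never executable
    return $dest;
}

/**
 * Send a stored image back with an explicit Content-Type. $id must be a
 * name this script generated (32 hex chars plus an allowed extension).
 */
function send_stored_image(string $id): void
{
    if (!preg_match('/^[0-9a-f]{32}\.(jpe?g|png|gif)$/', $id, $m)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $id;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . image_type_to_mime_type(ALLOWED[$m[1]]));
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $id . '"');
    readfile($path);
}

// Usage: POST a form with an <input type="file" name="image">.
if (isset($_FILES['image'])) {
    try {
        $path = store_uploaded_image($_FILES['image']);
        echo 'stored as ' . htmlspecialchars(basename($path));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . htmlspecialchars($e->getMessage());
    }
} elseif (isset($_GET['id'])) {
    send_stored_image((string)$_GET['id']);
}
```

Two points worth checking on the server side as well. The content check does not sanitise anything: a file that passes `getimagesize()` can still carry arbitrary bytes in its metadata, so what actually prevents execution is that the stored file lives outside the document root and is only ever read by `readfile()`, never mapped to the PHP handler; re-encoding the image through GD before storing it is a further way to drop metadata. And in Apache, `AddType` associates a MIME type with an extension, which is a weaker way to hand files to mod_php than `<FilesMatch "\.php$"> SetHandler application/x-httpd-php </FilesMatch>`, since the latter anchors on the final extension only; for any directory that must stay inside the web root and accept uploads, `php_admin_flag engine off` in that directory's configuration turns the PHP engine off there regardless of the name a file arrives with.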